Blur Exchange contest - cryptonue's results

An NFT exchange for the Blur marketplace.

General Information

Platform: Code4rena

Start Date: 05/10/2022

Pot Size: $50,000 USDC

Total HM: 2

Participants: 80

Period: 5 days

Judge: GalloDaSballo

Id: 168

League: ETH

Blur Exchange

Findings Distribution

Researcher Performance

Rank: 42/80

Findings: 1

Award: $114.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

114.8239 USDC - $114.82

Labels

bug
duplicate
3 (High Risk)
edited-by-warden

External Links

Lines of code

https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L540
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/ExecutionDelegate.sol#L109
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L33
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L59

Vulnerability details

Impact

An ERC1155 order intended to transfer x units of a token will only transfer 1 unit. This is a FATAL and HIGH severity issue, as the buyer will not receive what they are supposed to receive.

Proof of Concept

File: execution.test.ts

    it('can transfer ERC1155', async () => {
      await mockERC1155.mint(alice.address, tokenId, 10);
      sell = generateOrder(alice, {
        side: Side.Sell,
        tokenId,
        amount: 5,
        collection: mockERC1155.address,
        matchingPolicy: matchingPolicies.standardPolicyERC1155.address,
      });
      buy = generateOrder(bob, {
        side: Side.Buy,
        tokenId,
        amount: 5,
        collection: mockERC1155.address,
        matchingPolicy: matchingPolicies.standardPolicyERC1155.address,
      });
      sellInput = await sell.pack();
      buyInput = await buy.pack();

      await waitForTx(exchange.execute(sellInput, buyInput));

      expect(await mockERC1155.balanceOf(bob.address, tokenId)).to.be.equal(5);
      await checkBalances(
        aliceBalance,
        aliceBalanceWeth.add(priceMinusFee),
        bobBalance,
        bobBalanceWeth.sub(price),
        feeRecipientBalance,
        feeRecipientBalanceWeth.add(fee),
      );
    });

The test script only exercises the ERC1155 path with an amount of 1, whereas ERC1155 is designed to hold x units of a given tokenId y.

If we change the order amount to 5, as in this example, the test fails: the buyer's resulting balance is 1, because inside the StandardPolicyERC1155.sol contract the order amount is ignored and hardcoded to 1.

Tools Used

Hardhat test, VSCode

Update StandardPolicyERC1155.sol so that the returned amount is makerAsk.amount or makerBid.amount instead of the hardcoded 1.
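The following is an added, constructed model of the match-then-transfer flow from the Proof of Concept and the mitigation above; it is not Blur's code. The ledger, order shape, and policy functions are simplified stand-ins, and the requirement that both sides agree on the amount in the fixed policy is an extra check added here, beyond the page's recommendation.

```javascript
const Side = { Buy: 0, Sell: 1 };

// Minimal in-memory ERC1155 ledger: balances[owner][tokenId] = units held.
function makeERC1155(initial) {
  const balances = JSON.parse(JSON.stringify(initial));
  const balanceOf = (owner, id) => (balances[owner] || {})[id] || 0;
  return {
    balanceOf,
    safeTransferFrom(from, to, id, amount) {
      if (balanceOf(from, id) < amount) throw new Error("insufficient balance");
      balances[from][id] -= amount;
      balances[to] = balances[to] || {};
      balances[to][id] = (balances[to][id] || 0) + amount;
    },
  };
}

function ordersCompatible(ask, bid) {
  return ask.side === Side.Sell && bid.side === Side.Buy &&
    ask.collection === bid.collection && ask.tokenId === bid.tokenId &&
    ask.price === bid.price;
}

// Flawed policy: transfer amount hardcoded to 1, order.amount never consulted.
const flawedPolicy = (ask, bid) =>
  ({ ok: ordersCompatible(ask, bid), tokenId: ask.tokenId, amount: 1 });

// Fixed policy: amount taken from the ask, and (added check) both sides must agree.
const fixedPolicy = (ask, bid) => ({
  ok: ordersCompatible(ask, bid) && ask.amount === bid.amount,
  tokenId: ask.tokenId,
  amount: ask.amount,
});

// Stand-in for execute(): validate the match, transfer what the policy returned
// (the WETH payment leg is omitted), and report the buyer's resulting balance.
function execute(policy, token, sell, buy) {
  const m = policy(sell, buy);
  if (!m.ok) throw new Error("orders cannot match");
  token.safeTransferFrom(sell.trader, buy.trader, m.tokenId, m.amount);
  return token.balanceOf(buy.trader, m.tokenId);
}

// Same setup as the PoC: alice is minted 10 units and sells 5 (constructed values).
function runScenario(policy, bidAmount = 5) {
  const token = makeERC1155({ alice: { 7: 10 } });
  const order = (trader, side, amount) =>
    ({ trader, side, collection: "mock1155", tokenId: 7, amount, price: 100 });
  return execute(policy, token, order("alice", Side.Sell, 5), order("bob", Side.Buy, bidAmount));
}
```

With the flawed policy the buyer ends up with 1 unit despite both orders specifying 5; with the fixed policy the buyer receives 5, and an ask/bid amount mismatch is rejected instead of silently settling.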

#0 - GalloDaSballo

2022-10-13T22:27:19Z
